Stories like Catch Me If You Can (the tale of how con artist Frank Abagnale duped everyone in his orbit) envoke a desire in many people to be as clever and confident as Frank, who used his charm and wit to convince people of just about anything.
After a big data breach, it’s natural to look for a similar story about how an attacker used craft and cunning to trick their victim into “letting them in.” We imagine the attacker calling the victim with a convincing cover story. Something along the lines of, “This is Bill from IT, and I work with Janet— you know Janet? Well…I’m sorry you’re getting all those notifications on your phone at 3 a.m. If you give me that pin code, I’ll get it sorted for you.”
While this scene might make it into a movie, the real story behind today’s breaches is never about an isolated bad decision — it’s about the many decisions made long before a sleepy network administrator gets a call from an attacker.
In this article, I’ll discuss how companies can become more resilient to any attack or lapse so one moment of human weakness doesn’t lead to catastrophe.
How One Wrong Move Leads To A Massive Breach
In the recent breach of a major rideshare company, the attacker fooled their way in and managed to gain access to data in the company’s SaaS applications and cloud infrastructure in AWS and Google Cloud Platform.
We see attackers target data using the same techniques time and time again. They scan the environment for weaknesses: data that’s not locked down, accounts with weak passwords and passwords stored in plain, readable text. During this recent breach, the attacker found a password that let them into the system storing mass passwords, which gave them further access to more data on more infrastructure.
Data is where the money is — attackers know that we depend on its availability and secrecy. Data is also where the risk is and why we must focus on protecting it. After a breach, SaaS applications may remain intact, and cloud infrastructures can be recreated, but data can never be “uncompromised.” It’s much easier to keep the toothpaste in the tube than to put it back in.
Many executives might wonder, “Wasn’t the cloud supposed to make us more secure?”
In the cloud, someone else is responsible for ensuring applications stay secure. Someone else is responsible for patching the application and any dependencies, like databases and operating systems. Someone else is responsible for the network, the failovers, the HVAC, the fire suppression and the lock on the physical door.
With all these security concerns in the hands of the cloud provider, what’s left is to ensure only the right people can access the right data and access only what they need, and then verify that people are using the data for its intended purpose. That should be easy, right?
It’s not, and it’s more exposed than you might think.
Shedding Light On Cloud Risk
My company, Varonis, analyzed 15 petabytes of cloud data across 717 organizations from numerous industries, including financial services, healthcare and government. Four out of five companies (81%) left sensitive data exposed — to every employee or the entire internet.
The average organization has almost 20,000 folders and over 150,000 files shared publicly. What’s in these exposed files and folders? Over 100,000 publicly shared sensitive records in SaaS applications. In Microsoft 365 alone, the average organization had nearly 50,000 sensitive records shared publicly.
Many of today's exposures are possible because the cloud makes it easy for end users to share data without IT’s help or guidance. They can share data publicly and with fellow employees by clicking ‘share’ — and share they do. We found that employees create tens of thousands of sharing links in Microsoft 365. And many of those links give access to every employee. With so much sharing, the average organization now has over 40 million uniquely permissioned objects and many exposures that will never be seen or reviewed.
When it comes to the basics of the basics, despite the well-known security advantages of multi-factor authentication (MFA), the average organization has thousands of accounts — including administrative accounts — that don’t require it.
Making The Attacker's Job Harder
Accounts with a lot of access are data security time bombs, and their blast radius — the potential for damage after a compromise — is huge. When a single account or device is compromised, how much damage could it do, and how well will you be able to contain the damage?
Here are four steps to ensure that when one of your employees does fall victim to a clever attacker, the attacker’s job won’t be easy — they’ll have to work much harder to compromise your critical data:
- Reduce the blast radius. Minimize the damage attackers could do by locking down access to your critical data and ensuring that employees and contractors can access only the data they need to do their jobs.
- Find your critical data (and passwords). Find and identify critical data that’s at risk. Scan for everything attackers look for, including personal data, financial data and passwords.
- Embrace MFA. Enabling multi-factor authentication (MFA) makes you 99% less likely to get hacked.
- Monitor what matters most. Monitor how every user and account uses critical data and watch for any usual activity that could indicate a possible cyberattack.
This article first appeared on Forbes.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.
Co-Founder and CEO of Varonis, responsible for leading the management, strategic direction, and execution of the company.